Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Save value of a field of one event and compare it with all other found events

ckunath
Communicator
‎04-06-2017 02:07 AM

Hello,

I have a list of three events, each of them has the same ID in the field ID. One event containing a field that states PRINT=Y.
The other two events being ACTION=PRINT and ACTION=NO_PRINT.
I want to add a field that checks if the done action was correct by checking that if PRINT was Y, and the event states ACTION=PRINT its value becomes "ok".

The table should look like this:

Action -- Validation
1. PRINT -- ok
2. NO_PRINT -- error

How can I do this? If I want to eval a field, it only evaluates the value of the field with PRINT=Y in it, and I can't seem to use it for the other two events.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 03:08 AM

Hi ckunath,
you should try something like this:

your_search 
| transaction ID
| eval check=if(PRINT="Y" AND ACTION="PRINT","ok","error")
| table _time PRINT ACTION check

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 03:08 AM

Hi ckunath,
you should try something like this:

your_search 
| transaction ID
| eval check=if(PRINT="Y" AND ACTION="PRINT","ok","error")
| table _time PRINT ACTION check

Bye.
Giuseppe

Reply
Solved! Jump to solution

ckunath
Communicator
‎04-06-2017 04:00 AM

Hi giuseppe,

thanks a lot for your quick response!
It does work, but it groups all events into one table row and I need to have the events separated..

For the events

20170102 ID=100 ACTION=PRINT
20170102 ID=100 ACTION=NO_PRINT
20170101 ID=100 PRINT=Y

I need a table like this

2017-01-02 -- PRINT -- ok
2017-01-02 -- NO_PRINT -- error
2017-01-02 --  --

Do you know a way to do that? I appreciate your help!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 04:13 AM

Hi Hi ckunath,,
last year I did the same question, see the answer https://answers.splunk.com/answers/341972/how-do-i-separate-the-results-of-a-transaction-to.html.
Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...